$pass = "test";

The above variable contains a password called test. I want to hash this password using SHA512, MD5 and salt. How do I do that? As I've found only benefits of salt and SHA512, and I already know MD5 encryption. Please, I need the solution as my system is vulnerable.

And please explain it with a code example, because I'm still attached to MD5.


From what I've understood from your comments and answers, I've got the following code:

$pass="test";
$hashed_pass= openssl_digest($pass, 'sha512');

OK, seems solid enough, but what is [salt='']? Does it generate a random salt string or something? If so, how do I implement it?

Scott Arciszewski
Dev Man
  • Why not use the [password_*](http://www.php.net/manual/en/ref.password.php) functions now built into PHP itself, or the [userland implementation](https://github.com/ircmaxell/password_compat) of these functions if you're not yet on PHP 5.5? The code examples for this are in the PHP docs pages. – Mark Baker Feb 11 '14 at 20:20
  • Also see Openwall's [PHP password hashing framework](http://www.openwall.com/phpass/) (PHPass). It's portable and hardened against a number of common attacks on user passwords. The guy who wrote the framework (SolarDesigner) is the same guy who wrote [John The Ripper](http://www.openwall.com/john/) and sits as a judge in the [Password Hashing Competition](http://password-hashing.net/). So he knows a thing or two about attacks on passwords. – jww Oct 12 '14 at 00:41
  • A simple Google query would have answered all these questions. – clockw0rk Oct 01 '18 at 11:53

2 Answers

Edit: Since this answer still seems to be generating a bit of interest, let me steer you all towards password_hash(), which is essentially a wrapper around crypt() but much simpler to use. If you're using PHP < 5.5 there is password_compat, which was written by the same guy and is actually linked off of the official documentation.

If you're already using crypt() it's worth noting that both password_verify() and password_needs_rehash() will work with all crypt()-style passwords, so there's hardly a reason not to update!


Use crypt(), it provides MUCH stronger hashing methods.

Hash a new password:

// generate a 16-character salt string
$salt = substr(str_replace('+','.',base64_encode(md5(mt_rand(), true))),0,16);
// how many times the string will be hashed
$rounds = 10000;
// pass in the password, the number of rounds, and the salt
// $5$ specifies SHA256-CRYPT, use $6$ if you really want SHA512
echo crypt('password123', sprintf('$5$rounds=%d$%s$', $rounds, $salt));
// output: $5$rounds=10000$3ES3C7XZpT7WQIuC$BEKSvZv./Y3b4ZyWLqq4BfIJzVHQweHqGBukFmo5MI8

Compare an existing password:

// the hash stored for the user
$given_hash = '$5$rounds=10000$3ES3C7XZpT7WQIuC$BEKSvZv./Y3b4ZyWLqq4BfIJzVHQweHqGBukFmo5MI8';
$test_pw = 'password123';

// extract the hashing method, number of rounds, and salt from the stored hash
// and hash the password string accordingly
$parts = explode('$', $given_hash);
$test_hash = crypt($test_pw, sprintf('$%s$%s$%s$', $parts[1], $parts[2], $parts[3]));

// compare
echo $given_hash . "\n" . $test_hash . "\n" . var_export($given_hash === $test_hash, true);
/* output:
$5$rounds=10000$3ES3C7XZpT7WQIuC$BEKSvZv./Y3b4ZyWLqq4BfIJzVHQweHqGBukFmo5MI8
$5$rounds=10000$3ES3C7XZpT7WQIuC$BEKSvZv./Y3b4ZyWLqq4BfIJzVHQweHqGBukFmo5MI8
true */
Sammitch
  • please not so advanced coding a little less confusing – Dev Man Feb 11 '14 at 20:14
  • 6
    @Yasin Well, I *could* give you a simple little snippet that strings together MD5, SHA, and a salt and end up with a hash that is trivial to crack. *OR* you could refer to the PHP documentation, look up the functions you don't understand, learn how they work together to hash passwords reasonably securely, and come out ahead in the game. – Sammitch Feb 11 '14 at 20:27
  • Hi @Sammitch, I have a question regarding PHP's crypt() function.. If we use this method to implement a login system, the $5$rounds=10000$ + salt are both stored in the database, how would that make it secure? If a hacker compromises the database, they now know how many times the password is hashed, with what type of hash as well as the salt. Their work is cut out for them? All that's left to do is to hit it with a brute force, which is just like any other type of hash when someone's trying to crack it, isn't it? – Winter Jun 02 '14 at 21:58
  • @Winter the salt and the number of rounds for the hash are not secret values. The point of a salt is to make it unfeasible to use pre-computed hash tables to determine a raw password, and the point of hashing rounds are to increase the amount of work needed to bruteforce a password. – Sammitch Jun 05 '14 at 16:57
  • @Sammitch Ah, alright. So it's perfectly safe to store this "as-is" in MySQL? – Winter Jun 05 '14 at 19:36
  • @Sammitch I apologize for hijacking his question, but I would also like to know if this crypt() method of storing passwords would be more secure than whirlpooling them? – Winter Jun 05 '14 at 20:37
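A login-time verifier that ties the two halves of this answer together: it accepts the asker's legacy unsalted MD5 hashes and crypt()-style `$6$` SHA-512 hashes, and upgrades both to password_hash() output after a successful login. This is an added example, not Sammitch's code; it assumes PHP 7.1+ (random_bytes, short list syntax), and the user rows and passwords are constructed for the demo.

```php
<?php
// Added example, not part of the original answer. Assumes PHP >= 7.1.

// Produce a crypt()-style SHA-512 record ($6$) with a random 16-char salt,
// only so the demo has a "legacy" row to migrate. crypt() salts use the
// ./0-9A-Za-z alphabet, so base64's '+' is mapped to '.'.
function legacy_sha512_crypt(string $password, int $rounds = 10000): string
{
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    $hash = crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));
    if (strlen($hash) < 13) {            // crypt() returns '*0'/'*1' on failure
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Check $password against whatever format the stored row holds.
// Returns [bool $verified, ?string $replacementHash]; the caller writes the
// replacement back to the user row when it is not null.
function verify_and_upgrade(string $password, string $stored): array
{
    // Legacy unsalted MD5 (32 hex chars) is not a crypt() string, so
    // password_verify() cannot check it; compare in constant time instead.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    // Everything else ($5$, $6$, $2y$ ...) is crypt()-style: password_verify()
    // handles all of them, and password_needs_rehash() flags non-default ones.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

// Constructed sample rows: md5('test') from the question and a fresh $6$ hash.
$rows = [
    'alice' => ['test',        '098f6bcd4621d373cade4e832627b4f6'],
    'bob'   => ['password123', legacy_sha512_crypt('password123')],
];
foreach ($rows as $user => [$pw, $hash]) {
    [$ok, $new] = verify_and_upgrade($pw, $hash);
    printf("%s: login %s, upgrade %s\n", $user, $ok ? 'ok' : 'FAILED',
        $new === null ? 'not needed' : 'to ' . substr($new, 0, 4) . '...');
    [$bad] = verify_and_upgrade('wrong-password', $hash);
    printf("%s: wrong password rejected: %s\n", $user, var_export(!$bad, true));
}
```

Once a row has been rewritten, the same function keeps verifying it and returns null for the replacement until PASSWORD_DEFAULT or its cost changes, at which point password_needs_rehash() triggers another upgrade.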

If you are using PHP >= 5.3, the function openssl_digest should do the trick:

echo openssl_digest($pass, 'sha512');
// result
ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

echo md5($pass);
// result
098f6bcd4621d373cade4e832627b4f6

And with PHP 5.1 or 5.2, you have the hash function:

echo hash('sha512', $pass);
// result
ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

echo md5($pass);
// result
098f6bcd4621d373cade4e832627b4f6
ZiupeX
  • I need to use SHA512, salt and MD5 hashing all together. – Dev Man Feb 11 '14 at 20:14
  • And please explain to me the process of generating a random salt and hashing the password with it. – Dev Man Feb 11 '14 at 20:16
  • To clarify the "result" in this answer... he used the original string from the OP: "test" to get his hash starting with ee26b0. So add at the top `$pass = 'test';` – degenerate Oct 05 '15 at 15:08